LoFP / legitimate modification of the registry key by legitimate program

Techniques

Sample rules

Run Once Task Configuration in Registry

Description

Rule to detect the configuration of a Run Once task through the Active Setup "Installed Components" registry key (a StubPath value). The configured payload can be run by runonce.exe /AlternateShellStartup.

Detection logic

selection:
  TargetObject|contains: \Microsoft\Active Setup\Installed Components
  TargetObject|endswith: \StubPath
filter_optional_chrome:
  Details|contains|all:
  - C:\Program Files\Google\Chrome\Application\
  - \Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
filter_optional_edge:
  Details|contains:
  - C:\Program Files (x86)\Microsoft\Edge\Application\
  - C:\Program Files\Microsoft\Edge\Application\
  Details|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable
condition: selection and not 1 of filter_optional_*
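To show how the selection and the two optional filters interact, the following is an added example (not code from the LoFP page or from the Sigma rule) that evaluates the rule logic above over a handful of constructed Sysmon Event ID 13 (registry value set) records. The GUIDs, version directories and the payload path in the samples are placeholders; the matching is lower-cased because Sigma string modifiers are case-insensitive by default. One sample deliberately uses an Edge installer on a non-stable channel to show that the Edge filter is pinned to `--channel=stable` and lets other channels through to alert.

```python
# Added example: evaluator for "selection and not 1 of filter_optional_*"
# run over constructed Sysmon Event ID 13 records. Not the rule's own code.

ACTIVE_SETUP = "\\microsoft\\active setup\\installed components"
STUBPATH_SUFFIX = "\\stubpath"

# filter_optional_chrome: Details|contains|all (every string must be present)
CHROME_ALL = [
    "c:\\program files\\google\\chrome\\application\\",
    "\\installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level",
]

# filter_optional_edge: Details|contains (any one prefix) AND Details|endswith
EDGE_ANY = [
    "c:\\program files (x86)\\microsoft\\edge\\application\\",
    "c:\\program files\\microsoft\\edge\\application\\",
]
EDGE_SUFFIX = (
    "\\installer\\setup.exe\" --configure-user-settings --verbose-logging"
    " --system-level --msedge --channel=stable"
)


def selection(event: dict) -> bool:
    """TargetObject|contains ...Installed Components AND TargetObject|endswith \\StubPath"""
    target = event.get("TargetObject", "").lower()
    return ACTIVE_SETUP in target and target.endswith(STUBPATH_SUFFIX)


def filter_chrome(event: dict) -> bool:
    details = event.get("Details", "").lower()
    return all(s in details for s in CHROME_ALL)


def filter_edge(event: dict) -> bool:
    details = event.get("Details", "").lower()
    return any(p in details for p in EDGE_ANY) and details.endswith(EDGE_SUFFIX)


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not (filter_chrome(event) or filter_edge(event))


def alerts(events: list) -> list:
    """Return the ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (placeholder GUIDs, versions and payload path).
STUB = ("HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
        "\\{00000000-0000-0000-0000-00000000000%d}\\StubPath")
SAMPLE_EVENTS = [
    {"id": "chrome-installer", "TargetObject": STUB % 1,
     "Details": "\"C:\\Program Files\\Google\\Chrome\\Application\\1.0.0.0\\Installer\\chrmstp.exe\""
                " --configure-user-settings --verbose-logging --system-level"},
    {"id": "edge-installer", "TargetObject": STUB % 2,
     "Details": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\1.0.0.0\\Installer\\setup.exe\""
                " --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"},
    # Constructed suspicious entry: a StubPath pointing at a user-writable script.
    {"id": "malicious-stubpath", "TargetObject": STUB % 3,
     "Details": "C:\\Users\\Public\\update.cmd"},
    # Not an Active Setup key at all: selection does not match.
    {"id": "unrelated-run-key",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\update.cmd"},
    # Edge on a non-stable channel: prefix matches but the endswith filter does not.
    {"id": "edge-beta-channel", "TargetObject": STUB % 4,
     "Details": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\1.0.0.0\\Installer\\setup.exe\""
                " --configure-user-settings --verbose-logging --system-level --msedge --channel=beta"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<20} selection={selection(e)!s:<5} "
              f"chrome={filter_chrome(e)!s:<5} edge={filter_edge(e)!s:<5} alert={matches(e)}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The two browser installers are suppressed only because every literal in their filter is present; the beta-channel Edge record shows the practical caveat of this LoFP entry: the filter encodes one exact command line, so a legitimate installer with a different channel, path or argument order still fires and has to be added as a further filter_optional_* entry rather than by loosening the selection.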